Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlate most recent event ‘a’ with event ‘b’

larryp
Explorer
‎05-16-2017 12:59 PM

I have a need to pull a field from the most recent event type ‘a’ and add it to event type ‘b’ for those records with the same value for another field (account, for example).

E.g., simplified,

t1 type=a account-a field=value1
t2 type=a account-a field=value2
t3 type=b account-a
t4 type=b account-a
t5 type=a account-a field=value3
t6 type=b account-a
t7 type=b account-a

at t3 and t4 type=b should have value2 added, and at t6 and t7 it should have value3 added.

I've tried with eventstats but run into a limitation due to the number of accounts. Transaction doesn't appear to have a way of ending a transaction on an event prior to a value change. We're considering putting the most recent unique account/field combination into a data base and doing a DB lookup in Splunk, but want to see if there's a simpler way to do it.

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎05-16-2017 01:18 PM

Yep, it's actually trivial. 

your search that pulls the info giving _time, type, account, yourfield when present 
| sort 0 _time
| streamstats global=t last(yourfield) as lastyourfield by account

When I initially wrote that, I had an extra step in there as below, but since whenever yourfield exists, you want it, myfield is 100% the same as yourfield, so it is unneeded.

your search that pulls the info giving _time, type, account, yourfield when present 
| sort 0 _time
| eval myfield=if(type=a,yourfield,null())
| streamstats current=f global=t last(myfield) as lastyourfield by account

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
SplunkTrust
SplunkTrust
‎05-16-2017 01:18 PM

Yep, it's actually trivial. 

your search that pulls the info giving _time, type, account, yourfield when present 
| sort 0 _time
| streamstats global=t last(yourfield) as lastyourfield by account

When I initially wrote that, I had an extra step in there as below, but since whenever yourfield exists, you want it, myfield is 100% the same as yourfield, so it is unneeded.

your search that pulls the info giving _time, type, account, yourfield when present 
| sort 0 _time
| eval myfield=if(type=a,yourfield,null())
| streamstats current=f global=t last(myfield) as lastyourfield by account
Reply
Solved! Jump to solution

larryp
Explorer
‎05-16-2017 02:53 PM

Thank you!
I actually tried streamstats (forgot to mention that) but had 2 problems that you may have fixed - I was getting 10,000 results and assuming it was due to a memory limitation but “sort 0…” takes care of that, and hadn't tried “global=t” as I thought that was the default.
I'm trying with a larger data set.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎05-16-2017 07:05 PM

I believe you are correct about the default setting for global=t, but I change that option often enough that I like to specify it, just in case.

Yes, when I discovered the need for 0 in | sort 0, I had to go back and correct a couple of dozen answers of mine so that they would work if folks used them for large datasets.

What was the second problem you had with your earlier attempt?

0 Karma
Reply
Solved! Jump to solution

larryp
Explorer
‎05-17-2017 01:33 PM

The “global=t” issue, but turns out to be a non-issue as you pointed out.
Thanks for the answer! So simple in retrospect.
Not important, but in your unneeded solution (#2), ‘myfield’ and ‘yourfield’ equate to the field in question in type a and type b events? If so, there is no ‘yourfield’ in my example; however, I could see where, with ‘current=f’ and values for field in both type a and type b events, one may want to keep the most recent value prior to the current event's field value.

Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎05-17-2017 04:52 PM

Yes, that was my initial thinking, but then I deleted/simplified it as per the specifics of the question.

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-16-2017 03:45 PM

@larryp - Did the answer provided by DalJeanis help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply
Solved! Jump to solution

larryp
Explorer
‎05-17-2017 01:26 PM

Yes, I've accepted the answer after running on a larger data set (18.5m results).

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...